DETAILED ACTION 

Continued Examination Under 37 CFR 1.114 

A request for continued examination under 37 CFR 1.114, including the 
fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. 
Since this application is eligible for continued examination under 37 CFR 1.114, 
and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the 
previous Office action has been withdrawn pursuant to 37 CFR 1.114. 
Applicant's submission filed on 5/4/2009 has been entered. Claims 25 and 30 are 
amended. Claims 25-30 are pending. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for 
all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

1. Claims 25-30 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Cohen et al. (US Patent Publication No. 2004/0148521 and Cohen 
hereinafter) and Copeland (US Patent No. 7,290,283), in view of Ricciulli (US 
Patent No. 6,473,405) and further in view of Bar et al. (US Patent Publication No. 
2005/0021740 and Bar hereinafter). 
2. As to claim 25, Cohen teaches a method for detecting attacks on a data 
communications network, the method comprising: using an intrusion detection 
sensor (e.g., IR) comprising intrusion detection code for: monitoring data traffic 
(e.g., traffic from the East, West, North, and South) on the network comprising a 
first group of addresses assigned to known users and a second group of 
addresses that are not assigned to the known users (see paragraph 120); 

identifying an address belonging to the second group of addresses (i.e., ... 
teaches if it has been identified that TCP traffic from 10.2.3.4 to 10.2.3.5 on 
South is not authorized, the IR can cause attempted traffic of this sort in the 
South network to fail to operate correctly. In other words, while an IR according 
to specific embodiments of the invention may not do as well at protecting insiders 
from other insiders as it will for protecting insiders from outsiders [par. 122]); 

spoofing a reply to a request associated with the identified address in 
order to detect data indicative of an attack (i.e., ... teaches spoofing is 
accomplished by in essence changing the source and destination fields by an 
offset. For example, an IR can be configured to translate a whole class B 
address space into another class B address space by offsetting all of the 
addresses by the difference between the two class B address spaces. From 
10.2.*.* to 10.25.*.*, the translation is to add 23 to the class B field of the address 
space [par. 101]); listening for a response to the spoofing (i.e., ... teaches an ssh 
server is configured to listen on port 976 on the loopback interface, even though 
there is no real IP address on the IR [par. 227]); 
determining from the response that the request is suspicious [par. 38]; 
generating an alert signal instructing a router to reroute the data traffic originating 
at the address assigned to the system transmitting the suspicious request to a 
disinfection address on the network (i.e., ... teaches reverser takes responses 
from that redirected destination and undoes the redirection for return packets so 
that they go back to the sender as if they came from the IP address they thought 
they sent the original packets to [par. 91]); 

Cohen does not teach: sending an alert message to the disinfection address, 
wherein said alert message comprises attack identity data; 

However, these features are well known in the art and would have been an 
obvious modification of the system disclosed by Cohen as introduced by 
Copeland. Copeland discloses: 

sending an alert message to the disinfection address, wherein said alert 
message comprises attack identity data (to transmit an alert message containing 
attack identity data [col. 22, lines 55-60]); 

Therefore, given the teachings of Copeland, a person having ordinary skill in the 
art at the time of the invention would have recognized the desirability and 
advantage of modifying Cohen by employing the well known features of 
transmitting an alert message containing attack identity data disclosed above by 
Copeland, for which network intrusion analysis will be enhanced [col. 22, lines 
55-60]. 

Cohen in view of Copeland does not teach: and billing an entity for execution of 
at least one of the method steps, the charge being billed determined in 
dependence of one of: a size of the network, a number of the second group of 
the addresses monitored, a number of the first group of the addresses monitored, 
a volume of the data traffic inspected, a number of attacks identified, a number of 
the alert messages generated, a signature of the identified attack, a volume of 
rerouted data traffic, a degree of network security achieved, and a turnover of 
said entity. 

However, these features are well known in the art and would have been an 
obvious modification of the system disclosed by Cohen in view of Copeland as 
introduced by Ricciulli. Ricciulli discloses: 

and billing an entity for execution of at least one of the method steps, the 
charge being billed determined in dependence of one of: a size of the network, a 
number of the second group of the addresses monitored, a number of the first 
group of the addresses monitored, a volume of the data traffic inspected, a 
number of attacks identified, a number of the alert messages generated, a 
signature of the identified attack, a volume of rerouted data traffic, a degree of 
network security achieved, and a turnover of said entity (for purposes of billing for 
security-related and network traffic routing functions, Ricciulli provides the 
capability to provide cost analysis for pertinent security and network traffic control 
functions as prescribed by Cohen in view of Copeland [Ricciulli; abstract]. Cohen in 
view of Copeland and Ricciulli provides a robust and scalable system warranting 
the desirability to provide billing for the execution of process steps relative to 
security and network traffic control). 

Therefore, given the teachings of Ricciulli, a person having ordinary skill in the art 
at the time of the invention would have recognized the desirability and advantage 
of modifying Cohen in view of Copeland by employing the well known features of 
network security and traffic control cost determination disclosed above by 
Ricciulli, for which network security and traffic control will be enhanced [Ricciulli; 
abstract]. 

The combination of Cohen, Copeland and Ricciulli does not expressly teach: 
assigning unassigned addresses to an intrusion detection sensor such 
that any traffic directed at an unassigned address automatically arrives at the 
IDS. 

However, these features are well known in the art and would have been an 
obvious modification of the system disclosed by the combination of Cohen, 
Copeland and Ricciulli as introduced by Bar. Bar discloses: 

assigning unassigned addresses to an intrusion detection sensor such 
that any traffic directed at an unassigned address automatically arrives at the IDS 
(the group of addresses to be monitored may be set by a system 
administrator (i.e., IDS). Said group includes unassigned "trap" addresses such 
that the trap addresses are not used by any actual computers in the area and 
therefore incoming traffic destined for any of these trap addresses is anomalous 
and is analyzed by the IDS [par. 62]). 

Therefore, given the teachings of Bar, a person having ordinary skill in the art at 
the time of the invention would have recognized the desirability and advantage of 
modifying the combination of Cohen, Copeland and Ricciulli by employing the 
well known feature of trap (i.e., unassigned) addresses by which incoming 
anomalous traffic is detected, as disclosed above by Bar, which will enhance 
anomalous traffic detection [par. 62]. 

3. As to claim 26, Cohen teaches a method where the step of determining 
from the response comprises receiving no response within a specified time 
period (i.e., ... teaches comparing an incoming datagram to a set of 
stimulus/response rules, each rule providing a particular action to be performed 
regarding a datagram that matches that rule's associated stimulus [claim 20]). 

4. As to claim 27, Cohen teaches a method where the step of determining 
from the response comprises receiving the response within a specified time 
period and comparing said response (e.g., packet) to the attack identity data 
stored (i.e., matching rule) in memory, wherein the memory stores signatures 
identifying known attacks (i.e., ... teaches comparing an incoming datagram 
against one or more rules to determine a matching rule for a particular datagram, 
[claim 19] ... further teaches comparing an incoming datagram to a set of 
stimulus/response rules, each rule providing a particular action to be performed 
regarding a datagram that matches that rule's associated stimulus [claim 20]). 

5. As to claim 28, Cohen teaches a method where sending the alert 
message (i.e., response) comprising the attack identity data comprises sending 
data indicative of signatures (i.e., fingerprints) of identified known attacks (i.e., ... 
teaches IR is designed to utilize OS fingerprints from the Xprobe2 fingerprints file 
which can be obtained from Xprobe2 in order to spoof ICMP responses to Xprobe2 
scans [par. 272]). 

6. As to claim 29, Cohen teaches a method where the monitoring step 
comprises listening only for the data traffic directed to the second group of 
addresses [par. 272]. 
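Worked illustration of the claim 25-29 method as the Examiner maps it above (monitoring a group of unassigned "trap" addresses, spoofing a reply, deciding suspicion from a missing response or a signature match, and emitting an alert that names the offender and a disinfection address). This example is added by the editor; it is not part of the Office action, the claims, or any of the cited references (Cohen, Copeland, Ricciulli, Bar). All addresses, signatures, the timeout value and the peer behaviour are constructed, and the Alert record is the editor's own layout for the "alert message comprising attack identity data" that the disinfection server of claim 30 would consume.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed configuration (hypothetical addresses; not from the claims or references).
NETWORK = ipaddress.ip_network("10.0.0.0/24")
ASSIGNED: Set[ipaddress.IPv4Address] = {            # first group: addresses of known users
    ipaddress.ip_address(a) for a in ("10.0.0.10", "10.0.0.11", "10.0.0.12")
}
DISINFECTION = ipaddress.ip_address("10.0.0.254")  # disinfection server
RESPONSE_TIMEOUT = 2.0                              # "specified time period" (claims 26/27), seconds

# Signatures of known attacks held in the sensor's memory (constructed sample data);
# the key is the attack identity data carried in the alert message.
SIGNATURES: Dict[str, bytes] = {
    "ssh-scanner": b"SSH-2.0-libssh",
    "bot-beacon": b"\x00\x00\x00\x00HELO",
}


def trap_addresses() -> Set[ipaddress.IPv4Address]:
    """Second group: every host of NETWORK not assigned to a known user.
    Nothing legitimate lives there, so the sensor claims them (Bar-style traps)."""
    return {h for h in NETWORK.hosts() if h not in ASSIGNED and h != DISINFECTION}


def is_trap(addr: str) -> bool:
    return ipaddress.ip_address(addr) in trap_addresses()


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Alert:
    offender: str     # address of the system that sent the suspicious request
    attack_id: str    # attack identity data (signature name, or the timeout verdict)
    reroute_to: str   # instruction for the router: send the offender's traffic here


# Models what the remote system does after receiving the spoofed reply:
# returns (response bytes or None, seconds until that response arrived).
Responder = Callable[[Packet, bytes], Tuple[Optional[bytes], float]]


class TrapSensor:
    def __init__(self, traps: Set[ipaddress.IPv4Address], responder: Responder):
        self.traps = traps
        self.responder = responder
        self.alerts: List[Alert] = []

    @staticmethod
    def spoof_reply(pkt: Packet) -> bytes:
        # Answer as though a service were listening at the unassigned address.
        return b"SYN-ACK %s:%d" % (pkt.dst.encode(), pkt.dport)

    @staticmethod
    def classify(response: Optional[bytes], delay: float) -> Optional[str]:
        """Claim 26: no response within the period is itself suspicious.
        Claim 27: a timely response is compared against the stored signatures."""
        if response is None or delay > RESPONSE_TIMEOUT:
            return "no-response-timeout"
        for attack_id, signature in SIGNATURES.items():
            if signature in response:
                return attack_id
        return None   # answered like an ordinary client: anomalous but not classified

    def observe(self, pkt: Packet) -> Optional[Alert]:
        # Claim 29: only traffic directed at the second (unassigned) group is examined.
        if ipaddress.ip_address(pkt.dst) not in self.traps:
            return None
        response, delay = self.responder(pkt, self.spoof_reply(pkt))
        attack_id = self.classify(response, delay)
        if attack_id is None:
            return None
        alert = Alert(offender=pkt.src, attack_id=attack_id, reroute_to=str(DISINFECTION))
        self.alerts.append(alert)   # would be sent on to the disinfection address
        return alert


def demo_responder(pkt: Packet, spoofed_reply: bytes) -> Tuple[Optional[bytes], float]:
    """Constructed peer behaviour, keyed by source address, standing in for the network."""
    behaviour = {
        "192.0.2.7": (b"SSH-2.0-libssh_0.8.1\r\n", 0.1),  # scanner announces itself
        "192.0.2.9": (None, 0.0),                          # half-open probe never completes
        "192.0.2.11": (b"GET / HTTP/1.0\r\n\r\n", 0.3),    # no stored signature matches
    }
    return behaviour.get(pkt.src, (None, 0.0))


def run_demo() -> List[Optional[Alert]]:
    sensor = TrapSensor(trap_addresses(), demo_responder)
    packets = [                                  # constructed traffic
        Packet("192.0.2.7", "10.0.0.57", 22),
        Packet("192.0.2.8", "10.0.0.10", 80),    # assigned address: not monitored
        Packet("192.0.2.9", "10.0.0.99", 445),
        Packet("192.0.2.11", "10.0.0.100", 80),
    ]
    return [sensor.observe(p) for p in packets]
```

Running run_demo() yields an alert for 192.0.2.7 (signature "ssh-scanner"), nothing for the packet to the assigned address 10.0.0.10, a "no-response-timeout" alert for 192.0.2.9, and nothing for 192.0.2.11, whose timely reply matches no stored signature. Note that a real sensor cannot be this permissive about the last case: traffic to a trap address has no legitimate destination, so an unclassified response should still be logged for review even though it produces no reroute.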

7. Claim 30 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Cohen in view of Copeland and further in view of Bar. 

8. As to claim 30, Cohen teaches a method comprising steps of: using a 
disinfection server for: receiving an alert message sent from an intrusion 
detection sensor (i.e., ... teaches reverser takes responses from that redirected 
destination and undoes the redirection for return packets so that they go back to 
the sender as if they came from the IP address they thought they sent the 
original packets to [par. 91]), sending a warning message (e.g., response) to an 
address assigned to the system, wherein said warning message comprises 
program code for eliminating the network attack when executed by the system 
originating the data indicative of the attack (i.e., ... teaches a command transmits 
a packet back to its sender while flipping one or more of the sending and 
receiving MAC, IP, and PORT values of the packet. Generally, the packet is 
transmitted out of the same interface where it arrived and thus this command 
can be used on a logic module according to specific embodiments of the 
invention that has only one network interface. This type of response can cause 
an attacker to potentially connect back to their own computer system and 
possibly divert any malicious action back at the attacker's own computer 
system [par. 88]); supporting an entity in handling of the detected 
attack by one of providing instructions for use of, assistance in executing (e.g., 
counter action), and execution of disinfection program code (i.e., ... teaches 
one or more distinct deceptive responses can be provided to an incoming packet 
.... further teaches FIG. 6 is a flowchart illustrating a general method for providing 
counter actions against attacking information systems according to embodiments 
of the present invention [par. 86]); and providing a report to the entity containing 
information related to one of alert, disinfection, rerouting, logging, and discarding 
of data traffic in the context of the detected attack (i.e., ... teaches logs to syslog 
or other file or logging method or system for capture and analysis by remote 
devices [par. 260]). Cohen does not teach: said alert message comprising data 
indicative of signatures of identified known attacks for identifying a system 
originating data indicative of a network attack; 

However, these features are well known in the art and would have been an 
obvious modification of the system disclosed by Cohen as introduced by 
Copeland. Copeland discloses: said alert message comprising data indicative of 
signatures of identified known attacks for identifying a system originating data 
indicative of a network attack (to transmit an alert message containing attack 
identity data [col. 22, lines 55-60]); 

Therefore, given the teachings of Copeland, a person having ordinary skill in the 
art at the time of the invention would have recognized the desirability and 
advantage of modifying Cohen by employing the well known features of 
transmitting an alert message containing attack identity data disclosed above by 
Copeland, for which network intrusion analysis will be enhanced [col. 22, lines 
55-60]. 

The combination of Cohen and Copeland does not expressly teach: 

assigning unassigned addresses to an intrusion detection sensor such 
that any traffic directed at an unassigned address automatically arrives at the 
IDS. 
However, these features are well known in the art and would have been an 
obvious modification of the system disclosed by the combination of Cohen and 
Copeland as introduced by Bar. Bar discloses: 

assigning unassigned addresses to an intrusion detection sensor such 
that any traffic directed at an unassigned address automatically arrives at the IDS 
(the group of addresses to be monitored may be set by a system 
administrator (i.e., IDS). Said group includes unassigned "trap" addresses such 
that the trap addresses are not used by any actual computers in the area and 
therefore incoming traffic destined for any of these trap addresses is anomalous 
and is analyzed by the IDS [par. 62]). 

Therefore, given the teachings of Bar, a person having ordinary skill in the art at 
the time of the invention would have recognized the desirability and advantage of 
modifying the combination of Cohen and Copeland by employing the well known 
feature of trap (i.e., unassigned) addresses by which incoming anomalous traffic 
is detected, as disclosed above by Bar, which will enhance anomalous traffic 
detection [par. 62]. 

Response to Arguments 

Applicant's arguments with respect to claims 25-30 have been considered 
but are moot in view of the new ground(s) of rejection. The Examiner contends 
Bar provides the assignment of unassigned address for purposes of anomalous 
traffic detection. 
Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to BRYAN WRIGHT whose telephone number is 
(571)270-3826. The examiner can normally be reached on 8:30 am - 5:30 pm 
Monday - Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, William Korzuch can be reached on (571) 272-7589. The 
fax phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll-free). If you would like assistance from a USPTO Customer Service 
Representative or access to the automated information system, call 
800-786-9199 (IN USA OR CANADA) or 571-272-1000. 